From 8ddc6aa2d47ccd6a25e026c2a1bf3b07ad016d4c Mon Sep 17 00:00:00 2001
From: Dominyk Tiller <dominyktiller@gmail.com>
Date: Wed, 21 Sep 2016 20:10:35 +0100
Subject: [PATCH 1/5] sandbox: sandbox homebrew/dupes by default

---
 Library/Homebrew/sandbox.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 9392b71226..e13335e1fc 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -3,8 +3,9 @@ require "tempfile"
 
 class Sandbox
   SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
-  SANDBOXED_TAPS = [
-    "homebrew/core",
+  SANDBOXED_TAPS = %w[
+    homebrew/core
+    homebrew/dupes
   ].freeze
 
   def self.available?

From 273affabe374c4ed2f3c852efd0fa1146790cc84 Mon Sep 17 00:00:00 2001
From: Dominyk Tiller <dominyktiller@gmail.com>
Date: Wed, 21 Sep 2016 22:14:01 +0100
Subject: [PATCH 2/5] sandbox: sandbox homebrew/fuse by default

---
 Library/Homebrew/sandbox.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index e13335e1fc..6b0467f9a1 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -6,6 +6,7 @@ class Sandbox
   SANDBOXED_TAPS = %w[
     homebrew/core
     homebrew/dupes
+    homebrew/fuse
   ].freeze
 
   def self.available?

From 713437a5eff253a945ecd354e95e3d1ca76cd245 Mon Sep 17 00:00:00 2001
From: Dominyk Tiller <dominyktiller@gmail.com>
Date: Wed, 21 Sep 2016 23:14:14 +0100
Subject: [PATCH 3/5] sandbox: sandbox homebrew/devel-only by default

---
 Library/Homebrew/sandbox.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 6b0467f9a1..a21dacadd3 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -7,6 +7,7 @@ class Sandbox
     homebrew/core
     homebrew/dupes
     homebrew/fuse
+    homebrew/devel-only
   ].freeze
 
   def self.available?

From c7d75bffeb05662a42be67f4710e2e52a6f8d1c2 Mon Sep 17 00:00:00 2001
From: Dominyk Tiller <dominyktiller@gmail.com>
Date: Wed, 21 Sep 2016 23:34:18 +0100
Subject: [PATCH 4/5] sandbox: sandbox homebrew/tex by default

---
 Library/Homebrew/sandbox.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index a21dacadd3..0d313b9f9d 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -8,6 +8,7 @@ class Sandbox
     homebrew/dupes
     homebrew/fuse
     homebrew/devel-only
+    homebrew/tex
   ].freeze
 
   def self.available?

From 3bbf62f37ac205cf4c1460049f3a6aab67862615 Mon Sep 17 00:00:00 2001
From: Dominyk Tiller <dominyktiller@gmail.com>
Date: Thu, 22 Sep 2016 05:11:41 +0100
Subject: [PATCH 5/5] sandbox: loosen restriction around Xcode caching

It doesn't really need to be as tight as it is currently, certainly outside brew
you can write to here without any special privileges beside being the user,
and being so can tight can cause issues on clean systems or systems where
Xcode hasn't been used before as exposed by https://github.com/Homebrew/homebrew-core/issues/4892.

Closes https://github.com/Homebrew/homebrew-core/issues/4892.
---
 Library/Homebrew/sandbox.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 0d313b9f9d..a7fc99d4a2 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -77,7 +77,7 @@ class Sandbox
 
   # Xcode projects expect access to certain cache/archive dirs.
   def allow_write_xcode
-    allow_write_path "/Users/#{ENV["USER"]}/Library/Developer/Xcode/DerivedData/"
+    allow_write_path "/Users/#{ENV["USER"]}/Library/Developer"
   end
 
   def allow_write_log(formula)